The EPA doesn't know what clouds it has -- and neither do you

David Linthicum | Aug. 5, 2014
A federal audit shows what's probably true at most enterprises: Cloud services are hiding in the shadows of IT

Do you know how much cloud computing is really going on in your organization? If you're like IT management in most companies and government agencies, you don't have a clue.

For example, the Environmental Protection Agency (EPA) doesn't know how many cloud computing contracts it has or how secure they are, according to a recent audit by the agency's inspector general, in a report released last week. In at least one instance, the EPA may not have had access to a subcontractor's cloud for investigative purposes. Worse, that same subcontractor was not compliant with the Federal Risk and Authorization Management Program (FedRAMP), which sets security standards for cloud providers.

Most IT leaders don't have a real understanding of how many cloud computing (or other technology) resources are being used -- and to what extent -- right under their noses. It's called "shadow IT" for a reason: Those technologies are in the shadows.

Why don't most enterprises and government agencies understand the full use of cloud computing in their own organizations? Because it's so easy to become a public cloud subscriber. While the EPA has to deal with special regulations applicable only to government agencies (thus the audits), enterprises have to deal with industry compliance issues that are just as risky if violated -- perhaps more so.

Of course, those who find "shadow IT" going the cloud route can take a tyrannical approach to governance and take hard stands against those who use cloud-based resources without permission. Personally, I think that sends the wrong message. In my experience, it's never a good idea to squash people's abilities to solve their own problems.

However, I also see where that unbridled use of public clouds could end up costing much more than their benefits. The enterprise may face fines for violating laws or have to deal with the complexity of having too many cloud providers in use.

A compromise must be struck, figuring out where to draw the line between risk and productivity. I know where I would draw it. Do you?

Source: InfoWorld

